Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:56 PM
Connect Directly

Businesses Backsliding On PCI Compliance

Most merchants that achieve compliance then fall out of it the next year, according to new Verizon data

It's been six years since the Payment Card Industry Data Security Standard (PCI DSS) was born, but most organizations worldwide still aren't remaining PCI-compliant year-round.

According to Verizon's newly published 2011 Payment Card Industry Compliance Report, 79 percent of organizations were not fully PCI compliant in their initial PCI audit in 2010, while only 21 percent were. That's about the same as last year's report, according to Verizon.

"Most of the clients in this review had been compliant with us previously or when another QSA" wrote the initial report of compliance, and most weren't new to PCI, says Jen Mack, director of Verizon's global PCI consulting services. "They were not able to maintain it throughout the year. They backslid."

Mack says that trend is likely in part due to other priorities overshadowing PCI throughout the year, but the underlying problem is that many organizations are not focusing on PCI as a year-round, long-term process. "[They] need a programmatic approach to make this easier to maintain ... there's a way to do it."

The organizations were achieving compliance and then at the next initial assessment, basically starting all over again in their rate of compliance. "It's still a good standard and it's not impossible to achieve compliance," Mack says. "The biggest thing in our report this year is that people are not able to or are not making the effort to maintain their compliance throughout the year."

Mack says the key is to fit PCI DSS requirements into a daily routine and to not just look at them as requirements that must be met when the qualified security assessor (QSA) comes knocking.

Verizon's report comes from findings in more than 100 PCI DSS assessments performed by its QSAs last year, and from data gathered by its investigative response group's work on payment card breach investigations. The company also analyzed the PCI data with findings from its 2011 Verizon Data Breach Investigations Report.

Joshua Daymont, principal with Securisea, says some companies are better at maintaining compliance than others. And it also depends on the details of the compliance report: Say a firm is found to have only 30 percent of its client machines running antivirus in an assessment, and then brings those machines into compliance with AV software. "Let's say the assessor comes back the next year and finds they have drifted out with the AV requirement, but only two computers don't have AV: they might be a computer that has not been used in a long time ... or a new computer and there was some process failure. In the report, it would show that they were out of compliance in those items, but the qualitative risk exposure is quite different" this year, he says.

That doesn't excuse noncompliance, he says, but that's an example of how the devil's in the details with assessments.

Verizon's report also found that nearly 90 percent of companies that were hit with breaches were not PCI-compliant. PCI clients scored better than breach victims by a 50 percent margin when it comes to PCI compliance. "...breach victims are less compliant than a normal population of organizations," according to the report. "Though the disparity between the groups fluctuates per requirement, on average, PCI clients scored better than breach victims by a 50 percent margin. So while ‘prove’ may be too strong a word to use in this case, the results do suggest that an organization wishing to avoid breaches is better off pursuing PCI DSS than shunning it altogether."

Even more disconcerting, however, were the areas in which they are slipping the most: in protecting stored cardholder data; tracking and monitoring access; regularly testing systems and processes; and maintaining security policies.

The lack of logging is a big red flag, according to security experts. "This is an outrage. The PCI Data Security Standard is a pretty low bar as far as computer security goes. The fact that companies are having a hard time maintaining compliance with it speaks to the sorry state of data security in the Cloud Age," says Bill Roth, CMO of LogLogic. "Verizon’s report showed that PCI 10, which requires companies to log all activity in the network, is one of the top three standards companies are failing to meet. There’s no excuse for failing to meet this standard. It’s not that hard -- start an appliance, point your logs, done. This is our personal information. Companies need to show their customers more respect and implement decent security."

But the bottom line is that even with PCI compliance, breaches are still occurring. That's because attackers are able to adjust their techniques as companies shore up their defenses, says Securisea's Daymont. "That is likely to go on for some time," he says. "To me, the biggest takeaway here is that PCI has a lot of great requirements, and one is that merchants have to use AV ... but the reality is that many AV solutions today just haven't been able to stop malware threats."

There were some bright spots in the Verizon report as well. Some 78 percent of testing procedures had been met at the time of the initial assessment, and the use of encryption was on the increase, with 72 percent encrypting the transmission of cardholder data over open networks, up from 63 percent last year. Some 83 percent won't accept payment via email now. "In many instances, they are going beyond simply making it a policy and are backing it up with automated filtering at the mail servers that deny any e-mails containing cardholder data," says the Verizon report.

A copy of the full report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-19
masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping.
PUBLISHED: 2019-11-19
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context ...
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.